US-12294593

Systems and methods for detecting malware domain names

Published: May 6, 2025
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Disclosed herein are systems and methods of executing scanning software, such as an executable software program or script (e.g., a PowerShell script), which, when executed by a computing device of an enterprise, such as a security server, may instruct the computing device to search all or a subset of the computing devices in an enterprise network. The scanning software may identify PowerShell scripts containing particular malware attributes, according to a malicious-code dataset. The computing system executing the scanning software may scan through the identified PowerShell scripts to identify particular strings, values, or code portions, and take a remedial action according to the scanning software's programming.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: receiving, by at least one server, a plurality of log files from a plurality of data sources, wherein each of the plurality of log files contains a domain name field; identifying, by the at least one server, non-identical yet equivalent domain names that each include an identical consecutive character pattern; in response to identifying at least two non-identical yet equivalent domain names parsed from data fields of the plurality of log files that include the identical consecutive character pattern, replacing one or more of the at least two non-identical yet equivalent domain names with one or more replacement unique domain names; identifying, by the at least one server, one or more unique domain names and eliminating one or more duplicative domain names, wherein the one or more duplicative domain names include at least one of the one or more replacement unique domain names; determining a credibility score for the one or more unique domain names based on a length of the one or more unique domain names and a comparison of the one or more unique domain names to a domain name corpus stored in a dictionary database; and updating a blacklist record to include the one or more unique domain names based on the credibility score.

2. The method of claim 1, further comprising: querying, by the at least one server, the blacklist record, the blacklist record further comprising a set of one or more blocked domain names predetermined to fail an acceptability threshold; automatically updating, by the at least one server, a case management database with the one or more unique domain names identified in the blacklist record; and automatically transmitting an alert for the one or more unique domain names in the blacklist record.

3. The method of claim 1, further comprising: updating, by the at least one server, a case management database to include one or more characteristics associated with the one or more unique domain names identified in the blacklist record, wherein the blacklist record is configured to store one or more characteristics of each respective blocked domain name in the blacklist record.

4. The method of claim 1, further comprising: storing, by the at least one server, into the blacklist record a new blocked domain name comprising one or more characteristics associated with the one or more unique domain names in response to receiving a block instruction from an administrator device.

5. The method of claim 1, further comprising: updating, by the at least one server, a whitelist record to include a unique domain name from the one or more unique domain names in response to receiving an instruction indicating the unique domain name is acceptable from an administrator device, the whitelist record comprising a set of one or more acceptable domain names.

6. The method of claim 1, further comprising: querying, by the at least one server, a whitelist record comprising a set of one or more acceptable domain names.

7. The method of claim 1, wherein determining the credibility score for the one or more unique domain names further comprises identifying a number of matches to a plurality of words in the domain name corpus.
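Claims 1 and 7 together describe a pipeline: pull the domain-name field out of log files, collapse non-identical but equivalent names that share a consecutive character pattern onto one replacement name, drop duplicates, score each unique name by its length and its matches against a dictionary corpus, and push low-scoring names toward the blacklist. The Python below is an added illustration written for this page, not code from the patent or its assignee; the log lines, the word list, the equivalence rule (a shared run of at least eight characters in the host part, left of the last two labels), the scoring formula and the 0.3 threshold are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher

SAMPLE_LOGS = [  # constructed sample log lines (not from the patent), each with a domain field
    "2024-01-19T10:00:01 proxy dst=abc123xyz.cdn-east.example.net action=allow",
    "2024-01-19T10:00:02 dns query=ABC123XYZ.cdn-west.example.net",
    "2024-01-19T10:00:03 proxy dst=mail.example.org action=allow",
    "2024-01-19T10:00:04 dns query=qzxv7k1pwtr9b.biz",
    "2024-01-19T10:00:05 proxy dst=qzxv7k1pwtr9b.biz action=allow",
]
DICTIONARY = {"mail", "example", "net", "org", "cdn", "east", "west"}  # assumed tiny word corpus
DOMAIN_FIELD = re.compile(r"(?:dst|query)=([A-Za-z0-9.-]+)")

def parse_domains(lines):
    """Extract the domain-name field of each log line (claim 1: receiving log files)."""
    return [m.group(1).lower() for line in lines for m in DOMAIN_FIELD.finditer(line)]

def canonicalize(domains, min_run=8):
    """Map each name to a replacement name (claim 1): names whose host part shares an
    identical run of >= min_run consecutive characters collapse onto the first one seen."""
    reps, replacement = [], {}
    for d in domains:
        host = ".".join(d.split(".")[:-2])  # assumption: last two labels are the registrable domain
        for rep, rep_host in reps:
            m = SequenceMatcher(None, host, rep_host).find_longest_match(
                0, len(host), 0, len(rep_host))
            if m.size >= min_run:
                replacement[d] = rep
                break
        else:
            reps.append((d, host))
            replacement[d] = d
    return replacement

def credibility_score(domain, max_len=40):
    """Constructed score in [0, 1]: share of characters covered by dictionary words
    (claim 7's word matches), scaled down as the name grows longer (claim 1)."""
    covered = total = 0
    for label in domain.split("."):
        mask = [False] * len(label)
        for word in DICTIONARY:
            for i in range(len(label) - len(word) + 1):
                if label.startswith(word, i):
                    mask[i:i + len(word)] = [True] * len(word)
        covered, total = covered + sum(mask), total + len(label)
    return (covered / total) * (1 - 0.5 * min(1.0, total / max_len))

def triage(lines, threshold=0.3):
    """Parse, collapse equivalents, dedupe, score; return (unique, scores, blacklist candidates)."""
    replacement = canonicalize(parse_domains(lines))
    unique = sorted(set(replacement.values()))  # eliminates duplicative names
    scores = {d: credibility_score(d) for d in unique}
    return unique, scores, [d for d in unique if scores[d] < threshold]
```

The third value returned by `triage` is what the blacklist update, case-management write and alert of claims 2 and 3 would consume; the whitelist check of claims 5 and 6 would filter it first.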

8. A system comprising: one or more processors; and one or more memories storing instructions that, when executed by the one or more processors, cause the system to perform a process comprising: receiving, by at least one server, a plurality of log files from a plurality of data sources, wherein each of the plurality of log files contains a domain name field; identifying, by the at least one server, non-identical yet equivalent domain names that each include an identical consecutive character pattern; in response to identifying at least two non-identical yet equivalent domain names parsed from data fields of the plurality of log files that include the identical consecutive character pattern, replacing one or more of the at least two non-identical yet equivalent domain names with one or more replacement unique domain names; identifying, by the at least one server, one or more unique domain names and eliminating one or more duplicative domain names, wherein the one or more duplicative domain names include at least one of the one or more replacement unique domain names; determining a credibility score for the one or more unique domain names based on a length of the one or more unique domain names and a comparison of the one or more unique domain names to a domain name corpus stored in a dictionary database; and updating a blacklist record to include the one or more unique domain names based on the credibility score.

9. The system according to claim 8, wherein the process further comprises: querying, by the at least one server, the blacklist record, the blacklist record further comprising a set of one or more blocked domain names predetermined to fail an acceptability threshold; automatically updating, by the at least one server, a case management database with the one or more unique domain names identified in the blacklist record; and automatically transmitting an alert for the one or more unique domain names in the blacklist record.

10. The system according to claim 8, wherein the process further comprises: updating, by the at least one server, a case management database to include one or more characteristics associated with the one or more unique domain names identified in the blacklist record, wherein the blacklist record is configured to store one or more characteristics of each respective blocked domain name in the blacklist record.

11. The system according to claim 8, wherein the process further comprises: storing, by the at least one server, into the blacklist record a new blocked domain name comprising one or more characteristics associated with the one or more unique domain names in response to receiving a block instruction from an administrator device.

12. The system according to claim 8, wherein the process further comprises: updating, by the at least one server, a whitelist record to include a unique domain name from the one or more unique domain names in response to receiving an instruction indicating the unique domain name is acceptable from an administrator device, the whitelist record comprising a set of one or more acceptable domain names.

13. The system according to claim 8, wherein the process further comprises: querying, by the at least one server, a whitelist record comprising a set of one or more acceptable domain names.

14. The system according to claim 8, wherein determining the credibility score for the one or more unique domain names further comprises identifying a number of matches to a plurality of words in the domain name corpus.

15. A non-transitory computer-readable medium storing instructions that, when executed by a computing system, cause the computing system to perform operations comprising: receiving, by at least one server, a plurality of log files from a plurality of data sources, wherein each of the plurality of log files contains a domain name field; identifying, by the at least one server, non-identical yet equivalent domain names that each include an identical consecutive character pattern; in response to identifying at least two non-identical yet equivalent domain names parsed from data fields of the plurality of log files that include the identical consecutive character pattern, replacing one or more of the at least two non-identical yet equivalent domain names with one or more replacement unique domain names; identifying, by the at least one server, one or more unique domain names and eliminating one or more duplicative domain names, wherein the one or more duplicative domain names include at least one of the one or more replacement unique domain names; determining a credibility score for the one or more unique domain names based on a length of the one or more unique domain names and a comparison of the one or more unique domain names to a domain name corpus stored in a dictionary database; and updating a blacklist record to include the one or more unique domain names based on the credibility score.

16. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: querying, by the at least one server, the blacklist record, the blacklist record further comprising a set of one or more blocked domain names predetermined to fail an acceptability threshold; automatically updating, by the at least one server, a case management database with the one or more unique domain names identified in the blacklist record; and automatically transmitting an alert for the one or more unique domain names in the blacklist record.

17. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: updating, by the at least one server, a case management database to include one or more characteristics associated with the one or more unique domain names identified in the blacklist record, wherein the blacklist record is configured to store one or more characteristics of each respective blocked domain name in the blacklist record.

18. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: storing, by the at least one server, into the blacklist record a new blocked domain name comprising one or more characteristics associated with the one or more unique domain names in response to receiving a block instruction from an administrator device.

19. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: updating, by the at least one server, a whitelist record to include a unique domain name from the one or more unique domain names in response to receiving an instruction indicating the unique domain name is acceptable from an administrator device, the whitelist record comprising a set of one or more acceptable domain names.

20. The non-transitory computer-readable medium of claim 15, wherein the operations further comprise: querying, by the at least one server, a whitelist record comprising a set of one or more acceptable domain names, wherein determining the credibility score for the one or more unique domain names further comprises identifying a number of matches to a plurality of words in the domain name corpus.

Patent Metadata

Filing Date

January 19, 2024

Publication Date

May 6, 2025

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Systems and methods for detecting malware domain names” (US-12294593). https://patentable.app/patents/US-12294593

© 2026 Patentable. All rights reserved.
